Understanding the Role of Registrars in DNSSEC Deployment

Taejoong Chung Roland van Rijswijk-Deij David Choffnes Northeastern University University of Twente and SURFnet Northeastern University Dave Levin Bruce M. Maggs Alan Mislove University of Maryland Duke University and Northeastern University Akamai Technologies Christo Wilson Northeastern University

ABSTRACT ACM Reference format: The Domain Name System (DNS) provides a scalable, flexible name Taejoong Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, resolution service. Unfortunately, its unauthenticated architecture Bruce M. Maggs, Alan Mislove, and Christo Wilson. 2017. Understanding the Role of Registrars in DNSSEC Deployment. In Proceedings of IMC ’17, has become the basis for many security attacks. To address this, DNS London, United Kingdom, November 1–3, 2017, 14 pages. Security Extensions (DNSSEC) were introduced in 1997. DNSSEC’s https://doi.org/10.1145/3131365.3131373 deployment requires support from the top-level domain (TLD) reg- istries and registrars, as well as participation by the organization that serves as the DNS operator. Unfortunately, DNSSEC has seen poor 1 INTRODUCTION deployment thus far: despite being proposed nearly two decades ago, The Domain Name System (DNS) [31] provides name resolution for only 1% of .com, .net, and .org domains are properly signed. the Internet, mapping human-readable names (e.g., example.com) In this paper, we investigate the underlying reasons why DNSSEC to machine-routable IP addresses (among other things). As DNS was adoption has been remarkably slow. We focus on registrars, as most designed without end-to-end authentication, attackers have leveraged TLD registries already support DNSSEC and registrars often serve it as a basis for myriad attacks, such as DNS hijacking [7, 25] and as DNS operators for their customers. Our study uses large-scale, cache poisoning [38]. longitudinal DNS measurements to study DNSSEC adoption, cou- DNS Security Extensions (DNSSEC) [17] were proposed two pled with experiences collected by trying to deploy DNSSEC on decades ago to address threats like these. DNSSEC allows clients domains we purchased from leading domain name registrars and (typically DNS resolvers) to verify the integrity and authenticity of resellers. Overall, we find that a select few registrars are responsible DNS records. It has also been leveraged to enhance the security of for the (small) DNSSEC deployment today, and that many leading other protocols: For example, DANE (DNS-based Authentication of registrars do not support DNSSEC at all, or require customers to take Named Entities) [41] enables domain holders to publish their public cumbersome steps to deploy DNSSEC. Further frustrating deploy- keys and authorized certificate authorities in DNS records. ment, many of the mechanisms for conveying DNSSEC information DNSSEC derives its security properties from its hierarchical pub- to registrars are error-prone or present security vulnerabilities. Fi- lic key infrastructure (PKI). The DNSSEC PKI establishes chains of nally, we find that using DNSSEC with third-party DNS operators trust that mirror the structure of the DNS hierarchy, with the root of such as Cloudflare requires the domain owner to take a number of trust in the DNS root zone. Critically, this means that a domain in steps that 40% of domain owners do not complete. Having identified zone z can be authenticated only if all zones in the DNS hierarchy several operational challenges for full DNSSEC deployment, we from the root to z support DNSSEC. Fortunately, there has been make recommendations to improve adoption. considerable work towards deployment near the top of the hierar- chy. After the DNS root zone’s key was created in July 2010, many top-level domains (TLDs) have become DNSSEC-enabled; recent Permission to make digital or hard copies of all or part of this work studies [23, 40] have reported that 90.5% of generic TLDs (gTLDs, for personal or classroom use is granted without fee provided that for example .com) and 47% of country-code TLDs (ccTLDs, for copies are not made or distributed for profit or commercial advantage example .nl) are now DNSSEC-enabled. and that copies bear this notice and the full citation on the first page. Unfortunately, even though most TLDs now support DNSSEC, Copyrights for components of this work owned by others than the adoption by second-level domains (e.g., example.com) remains author(s) must be honored. Abstracting with credit is permitted. To quite low [4, 8, 29, 40, 49]; our recent work [8] shows that only 0.6% copy otherwise, or republish, to post on servers or to redistribute of .com domains and 1.0% of .org domains have DNSKEY records1 to lists, requires prior specific permission and/or a fee. Request published. Worse, even among those domains that did attempt to permissions from [email protected]. IMC ’17, November 1–3, 2017, London, United Kingdom deploy DNSSEC, we found significant levels of misconfiguration that resulted in incorrectly signed DNSSEC domains. For example, © 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery. 31% of domains that support DNSSEC fail to publish all relevant ACM ISBN 978-1-4503-5118-8/17/11. . . $15.00 https://doi.org/10.1145/3131365.3131373 1We review all relevant DNSSEC records in Section 2. IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al. records required for validation, meaning DNSSEC-enabled clients security vulnerabilities (four of the seven registrars did not verify are unable to validate their records. the authenticity of the incoming email, and one even accepted an In this paper, we explore why DNSSEC deployment remains so email from a different email address than the one that registered small, and why there are high levels of misconfiguration of DNSSEC the domain), and web chat to be error-prone (one of the registrars records. We focus primarily on DNS registrars—the entities that accidentally installed our provided DS record on someone else’s sell domain names and often operate the authoritative nameservers— domain). to better understand how different registrar policies have led to • Among the top 10 DNSSEC-supporting registrars, we find many the current state of affairs. Registrars play a critical role in the of them are from the Netherlands or Sweden. Historically, both deployment of DNSSEC, as domains where the registrar is the DNS .nl and .se have provided financial incentives for registrars to operator are entirely at the mercy of the registrar to support DNSSEC. support DNSSEC (with auditing for compliance), and we observe Even for domains where the domain owner is the DNS operator, the many registrars that properly support DNSSEC for these TLDs registrar must still upload a DS record to the registry to complete the but not for others. DNSSEC deployment. Most prior studies of DNS registrar behavior have relied on active • Finally, we examine how third-party DNS operators such as Cloud- scans or large-scale data from zone files. Understanding what regis- flare interplay with DNSSEC. We find the process of deploying trars allow and how they behave, however, requires a different form DNSSEC using these services to be error-prone, as customers of measurement study: in this work, we examine large-scale, longi- must obtain a DS record from the third-party DNS operator and tudinal DNS measurements and provide the first systematic study of upload it to their registrar. This is done successfully by only 60% the entire DNSSEC deployment process from a customer’s perspec- of domain owners. tive (by purchasing domains from leading domain name providers). Taken together, our results uncover many of the reasons why Only by using this hands-on approach can we observe what domain DNSSEC adoption has remained low, but provide ways forward owners experience. Overall, we purchased domains from the most to better incentivize DNSSEC deployment. We have been respon- popular 20 registrars (responsible for 54.3% of all .com, .net, and sibly disclosing security issues to the registrars we interacted with, .org domains), as well as the 10 registrars that operate the large but there is a long way to go before DNSSEC deployment becomes number of domains with DNSKEYs (covering 84.6% of such domains simple, secure, and universally available to domain name owners. in .com, .net, and .org). In many cases, we find that we have to file To allow other researchers and administrators to reproduce and ex- support tickets or email the registrar in order to successfully deploy tend our work, we publicly release all of our analysis code and data DNSSEC. (where possible2) to the research community at We couple our hands-on registrar measurements with 21 months https://securepki.org of daily snapshots of DNSSEC records for all signed .com, .net, and .org second-level domains, 11 months of daily snapshots of Outline The remainder of this paper is organized as follows. Sec- DNSSEC-enabled .nl second-level domains, and seven months of tion 2 provides background on DNSSEC and Section 3 gives an daily snapshots of DNSSEC-enabled .se second-level domains. We overview of related work. Section 4 provides more detail on the choose .nl and .se as these have some of the highest levels of TLDs that we study and our daily scans. Section 5 explores the DNSSEC support among TLDs [12]. Looking at this historical data behavior and policies of the most popular registrars, while Section 6 allows us to see how the policies we observe as a customer are examines the behavior and policies of the registrars with the largest correlated with each registrar’s DNSSEC track record. number of DNSSEC-enabled domains. Section 7 examines third- Individually, many of our results are anecdotal, but taken together, party DNS operators such as Cloudflare, and Section 8 concludes. they paint a picture of why DNSSEC deployment remains at 1% of second-level domains, even though DNSSEC was originally pro- 2 BACKGROUND posed 20 years ago. Concretely, we observe that: In this section, we provide an overview of DNS, DNSSEC, and the • The support for DNSSEC is skewed to a small number of registrars. various entities involved in the management of the DNS infrastruc- Covering 50% of all .com, .net, and .org domains requires the ture. top 26 registrars, but covering the top 50% of those domains that DNS and DNSSEC DNS is a distributed database that stores records properly support DNSSEC requires just two registrars. that map domain names to values. For example, the IP address of • Among the top 20 registrars, only three support DNSSEC when example.com can be obtained by looking up the A record associated the registrar is the DNS operator. Only one (NameCheap) does so with the name example.com. DNS’s logical namespace is divided by default, and then only does so for some of their more expensive into zones, each of which represents a contiguous set of domain plans. The other two registrars either require the customer to opt-in names controlled by a single organization (e.g., the example.com (OVH) or to pay $35 per year (GoDaddy). zone may control names like www.example.com, but may further delegate *.test.example.com, thereby creating another zone). • Not all of the registrars we study support DNSSEC even when the owner is the DNS operator. Of those that do, 12 provide a 2Our .com, .net, .org and .nl zone files are collected under web form for customers to upload DS records while seven require agreement with the zone operators; while we are not permitted to human intervention by contacting the registrar (e.g., via email or release this data, we provide links where other researchers can obtain chat) to do so. We found most web forms to be inadequate (ten access themselves. For the .se zone file, which is open data, we of the 12 registrars do no validation), emails to present obvious release it through OpenINTEL [36]. Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom

Unfortunately, the original DNS protocol lacked many security given organization can serve as a registrar for certain TLDs features (e.g., authentication of records), making DNS vulnerable to and a reseller for others. numerous attacks, such as DNS hijacking [7, 25] and cache poison- DNS Operators are organizations that run authoritative DNS servers. ing [38]. To defend against such threats, DNS Security Extensions Each domain name has a DNS operator, and a given opera- (DNSSEC) [1–3, 16] were introduced in 1997. DNSSEC employs tor may serve as the authoritative DNS server for multiple cryptographic mechanisms to verify records’ integrity and authentic- domains. ity. To achieve these goals, it is essential for each zone to provide Whenever a registrar (or a reseller, via a registrar) sells a domain three record types: name, it must update the registry. It provides several pieces of infor- DNSKEY records are public keys. Zones sign DNS records with the mation, but the two most crucial parts (and the parts of interest to corresponding private keys, and resolvers use the DNSKEY to this paper) are two DNS records that get inserted into the TLD zone verify these signatures. Each zone usually creates two DNSKEY file: the NS record set (the identity of the authoritative nameservers records (called the KSK and ZSK) to sign DNS records: the of the DNS operator, referred to as delegation of the domain) and, private key of the KSK is used to sign DNSKEY records, and optionally, the DS record set (if the domain supports DNSSEC). the private key of the ZSK is used to sign all other records. Throughout the remainder of the paper, we will refer to registrars RRSIG (Resource Record Signature) records are cryptographic sig- as the entities that sell domain names; this should be interpreted as natures of other records signed using a DNSKEY’s correspond- registrar or reseller. When the distinction becomes important, we ing private key. RRSIGs are applied to the set of all records will note it explicitly. associated with a given name and type. For instance, all NS Registrar vs. external DNS operator Many registrars offer cus- records for example.org will be authenticated by a single tomers two options when purchasing a domain: (1) the customer can RRSIG. ask the registrar to serve as the authoritative nameserver (i.e., the DS (Delegation Signer) records are essentially hashes of DNSKEYs registrar is the DNS operator), or (2) the customer can run their own that are uploaded to the parent zone by registrars. To ensure authoritative nameserver for its new domain (i.e., the owner is the integrity, DS records also need to be signed by the parent DNS operator). In the former case, the authoritative nameserver for zone (in the RRSIG of DS records). Hence DNSSEC can only the domain will be listed as one in the registrar’s domain, and the function correctly when there are valid DS records from root registrar usually provides the customer with a web-based interface to leaf, thereby establishing a chain of trust. where they can modify the contents of their domain. For example, if For more details on the correct validation of DNSSEC records, we a customer purchased example.com from Bluehost and chose regis- refer the reader to our previous work [8]. trar hosting, the NS record for example.com would be a machine in bluehost.com Registry, Registrar, Reseller, and DNS Operator Since much of the domain. the focus of this paper is on the organizations that sell (and often host) For domains that support DNSSEC, the responsibility for main- DNSKEY RRSIG DS domains, we provide a brief overview here. There are four kinds taining DNSSEC records (e.g., s, s, records) falls on of organizations that play a role in the domain name registration the DNS operator. If this is the registrar, and if the registrar supports process. DNSSEC and manages DNSSEC correctly, it is the registrar who will generate DNSKEYs and RRSIGs for DNS records. If this is the Registries are organizations that manage top-level domains (TLDs); owner, the owner must generate and maintain all DNSSEC records. each TLD has exactly one registry. The registry maintains the TLD zone file (the list of all registered names within that Uploading DS records If a domain operator wishes to support zone), and works with registrars to sell domain names to the DNSSEC, a DS record for the domain must be uploaded to the reg- public. For example, Verisign serves as the registry for .com.3 istry in order to establish a chain of trust. However, only registrars In many cases, registries do not have any direct contact with can upload DS records to the registry. customers. Thus, if the domain’s DNS operator is the registrar, they can Registrars are organizations that are accredited by ICANN4 and simply upload the DS record by directly accessing the registry. Un- certified by registries to sell domains to the public. They have fortunately, if the domain’s DNS operator is the owner, the situation direct access to the registry, which enables them to process is more complicated because the owner must somehow convey the DS new registrations. record to the registrar. To this end, a registrar may provide customers Resellers are organizations that sell domain names, but are either with a web-based interface to submit DS records, or may allow cus- not accredited (by ICANN) or certified (by a given TLD’s tomers to transmit DS records via an out-of-band mechanism such registry). Typically, resellers partner with registrars in order as by e-mail or telephone. Moreover, if a registrar does not support to sell domain names, and relay all information through the any methods for customers to upload DS records, the domain cannot registrar. For example, if a registrar wants to sell domains of support DNSSEC as the domain’s chain of trust will be broken due a TLD that it is not accredited to access, it can partner with a to the missing DS record. Hence, the registrars’ policy for uploading registrar for that TLD, thereby becoming a reseller. Thus, a DS records to the registry plays a crucial role in whether domains purchased through that registrar can support DNSSEC. 3A full list of all TLDs and registries can be viewed at For DNSSEC to function properly, it is essential that a complete https://www.icann.org/resources/pages/listing-2012-02-25-en. chain of trust (RRSIG, DNSKEY, and DS record) exists. Unfortunately, 4ccTLD registries often have their own accreditation require- this is often not the case. In this paper we distinguish between ments. partial and full DNSSEC deployments: A domain that publishes IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al.

DNS Operator Third-party Owner Reseller Registrar Registry

1 Registrar DS DS

2 Reseller DS DS DS

3 Owner DS DS DS

4 Third-party DS DS DS DS

Figure 1: A diagram of full deployment vs. partial deployment Figure 2: Steps in the process for inserting a DS record into the of DNSSEC by a domain. It is important to note that partially registry when the DNS operator is (1) a registrar, (2) a reseller, deployed domains do not properly validate, as they are missing (3) the owner, and (4) a third-party. In each case, it is the DNS DS records. operator who actually generates the DS record; it then has to be handed off (potentially up to three times) to make it to the registry. Not shown is the case where a customer buys a domain from a reseller and uses a third-party DNS operator (adding yet DNSKEY and RRSIGs and uploads DS records is called fully deployed another handoff). DNSSEC, while a domain that has DNSKEYs and RRSIGs but that does not upload DS record (and therefore cannot be validated) is CDNSKEY and CDS records from their zone configuration settings.9 called partially deployed DNSSEC as illustrated in Figure 1. Unfortunately, CDS and CDNSKEY have thus far seen very little adop- From a security perspective, a partial deployment has limited tion by registries, leaving us with the manual processes described value, since there is no way to verify DNSSEC signatures.5 This above. makes it all the more important that DNSSEC deployment is done correctly, as any missing link the chain would prevent a domain’s Third-party DNS operators Recently, we have observed the records from being validated. In the remainder of this paper, we growth in popularity of organizations that provide management of study key points in the domain registration and operation process DNS records, but do not serve as registrars; we refer to these organi- where DNSSEC deployment breaks down and missing functionality zations as third-party DNS operators. These organizations serve as leads to partial deployments. authoritative nameservers for customers, manage DNS records, and often provide security services such as distributed denial-of-service Automating DS uploads Uploading DS records manually or out-of- (DDoS) prevention. One prominent example of such a service is band can be error-prone6 and can open up security vulnerabilities Cloudflare. With a third-party DNS operator, properly deploying (e.g., if an attacker can convince a registrar to accept an incorrect DNSSEC is even more complicated, as it is the third-party who DS record). To address these problems, the CDNSKEY (child DNSKEY) generates DNSKEYs and RRSIGs. Specifically, if the registry does not and CDS (child DS) record types were introduced in 2014 [26, 46]. In support CDS or CDNSKEY (which comprises all but one registrar at brief, these records automate DNSSEC delegation trust maintenance the time of writing), the third-party DNS operator does not have the by allowing an in-band mechanism for transmitting and updating authority to ask the registrar to upload a DS record; it must instead DS records. If a customer wants to replace its DS records with a new ask the customer to relay a DS record to the registrar. As we will one, the customer publishes a CDNSKEY or CDS record (or both) with see later in the paper, this convoluted process plays a role in why its RRSIG(s).7 Once the registry detects the presence of the CDNSKEY DNSSEC adoption remains low. or CDS record in one of its customers’ domains, it authenticates the As a summary, Figure 2 shows how the process for inserting record and then updates the DS record in the registry.8 Once the old DS records into the registry varies when the DNS operator is the DS record is replaced with new one, the customer can remove the registrar, a reseller, the owner, and a third-party.

5DNSKEYs for a domain could be delivered out-of-band even 3 RELATED WORK though the domain does not have a DS record, enabling an RRSIG In this section, we discuss studies of DNSSEC deployment and DNS to be validated by the DNSKEYs. However this is not the intended registrars. mechanism for deployment of DNSSEC. 6An anecdotal example is that the DS record for isoc.org was DNSSEC deployment We first discuss related studies of DNSSEC found to be incorrect at the 38’th ICANN meeting in 2010 due to a deployment, covering both server-side (DNSSEC-enabled domain) transcription error made when the DS record was manually entered and client-side (DNS resolver) studies. while dictated over a phone. This was discovered shortly before Server-side support: DNSSEC has attracted much attention from the press conference announcing the ISOC (The Internet Society) both research and industrial stakeholders. In early stage of deploy- DNSSEC deployment by one of our authors and fixed immediately. ment of DNSSEC, several studies measured the operational sta- 7 Since the DS record can be generated using the CDNSKEY, pub- tus of DNSSEC [34, 35] or operational challenges for wide de- lishing both a CDS and CDNSKEY is redundant but not incorrect. ployments [48]. More recently, studies found that 89% of generic 8 The operational methods for the registry to notice the CDNSKEY TLDs (gTLDs) and 47% of country-code TLDs (ccTLDs) supported and CDS record may differ; the registry can use tools that periodically check each of its customers’ domains to see if they have a CDS and 9Using CDS and CDNSKEY records, a customer can also request CDNSKEY record, or it can provide a web interface for the customer the registry to remove the current DS record by setting the algorithm to signal the parent zone to fetch the records. number of CDS or CDNSKEY to zero. Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom

DNSSEC in 2016 [40], and that most major DNS server software Domains supports DNSSEC [14] as well. Additionally, a number of free TLD Measurement Period Percent Number with DNSKEY tools exist to help system administrators properly deploy DNSSEC, .com 2015-03-01 – 2016-12-31 118,147,199 0.7% such as DNSSEC Debugger [11] and DNSViz [15]. Recent studies .net 2015-03-01 – 2016-12-31 13,773,903 1.0% have also found, however, that DNSSEC adoption for second-level .org 2015-03-01 – 2016-12-31 9,682,750 1.1% domains remains low. Our recent study [8] showed that DNSSEC .nl 2016-02-09 – 2016-12-31 5,674,208 51.6% deployment is rare in the second-level domains (roughly 1% of .com, .se 2016-06-07 – 2016-12-31 1,388,372 46.7% .net .org and domains), but is growing. Some of the studies have Table 1: Overview of the datasets that we use for this study. The focused on the misconfigurations of DNSSEC: Adrichem et al.[43] number of overall domains and percentage that have DNSKEYs analyzed a sample of second-level domains and similarly found that published is as-of December 31, 2016. 4% exhibited misconfigurations. Dai et al.10 [ ] also found that 19% of second-level domains from the Alexa Top-1M could not establish a chain of trust from the root. One of the common causes was the failure to upload DS records; nearly 30% of .com, .net, and .org There are also several attempts to make it easier for third-party domains do not properly upload DS records even though they have DNS operators to use DNSSEC. For example, Cloudflare and CIRA, DNSKEYs and RRSIGs [8]. the registry operator for .ca, are working on a draft standard [13, Our work complements these pieces of prior work, as they mea- 27], which essentially would allow the third-party DNS operator to sured the current status of the low DNSSEC deployment. In contrast, identify the registrars and communicate with them directly to enable we focus primarily on why DNSSEC deployment remains so small or bootstrap DNSSEC using a REST-based [39] protocol (without and why there are high levels of DNSSEC misconfiguration. Our ap- any effort from registrants). proach is to purchase domains from popular registrars and resellers and then examine the process of configuring DNSSEC for these 4 DATASETS domains. We also use considerably broader datasets including all In this section, we present the datasets that we use in this study and second-level domains from three gTLDs (.com, .net, and .org) and briefly examine the overall support for DNSSEC to help motivate two ccTLDs (.nl and .se). the subsequent analysis. Client-side support: To measure client-side support for DNSSEC, studies have used advertisements in embedded webpages to cause 4.1 TLD zone files clients to make DNS requests [4, 29, 40]; their results showed that Our goal is to understand how different registrars have affected about 26% of clients use DNSSEC-validating resolvers, but they DNSSEC’s deployment. To do so, we rely on scans from five TLDs, retry querying to non-validating resolvers if validation fails (de- provided by OpenINTEL [36, 45]: the .com, .net, and .org generic feating the point of DNSSEC). Using a similar technique, Lian TLDs and .se and .nl country-code TLDs. We choose .com, .net, et al. [29] showed that 1% of clients failed to resolve DNSSEC- and .org because they are some of the largest TLDs, and .se and enabled domains at all, while only 3% of clients successfully de- .nl because they are TLDs that show some of the highest rates of tected DNSSEC-signed domains with broken signatures. Finally, DNSSEC deployment [12]. we used the Luminati proxy network [7] to induce DNS requests; Our dataset contains daily scans of all second-level domains in we found that 83% of clients use a resolver that requests DNSSEC these five TLDs. Because of the way the data was collected, our records, but only 12% of them actually bother to validate the re- datasets start at different times: .com, .net, and .org start on March sponse [8]. 1st, 2015, .nl starts on February 9th, 2016, and .se starts on June Registrars Another line of work has examined the role of reg- 7th, 2016. However, all end on December 31st, 2016. Table 1 shows istrars in the deployment of DNSSEC. Recent work has found a summary. that many second-level domains with DNSKEYs fail to upload a DS Each daily scan contains a number of pieces of information for record [8, 43, 44], suggesting that certain registrars may incorrectly each second-level domain in the zone: First, each daily scan con- deploy DNSSEC. Some studies focused on the process of enabling tains the Nameserver (NS) record(s) for each domain, containing the DNSSEC. The Internet Society [22], for example, stressed the role authoritative nameserver(s) of the DNS operator. Second, each scan of registrars in enabling DNSSEC, publishing a list of registrars that contains the Delegation Signer (DS) record for each domain, if it are known to support DNSSEC. The report by York [47] also pointed exists. Third, each scan contains the DNSKEY and DNSKEY RRSIGs for out that the low DNSSEC adoption rate is due to its complexity, and the domain, if any exist. Taken together, the scans represent one of the most effective way to accelerate its deployment is to simplify the the most comprehensive sets of DNSSEC observations. process of signing a domain, such as enabling DNSSEC by default. On the other hand, several studies examined ways to increase 4.2 Identifying the DNS operator DNSSEC deployment, primarily through financial incentives [9, 18– To understand how different registrars behave, we first need to know 20]. Collectively, they showed how financial incentives for a registrar who manages each domain. One possible option is to use WHOIS can lead to higher levels of DNSSEC adoption. Unfortunately, finan- data to obtain registrar information; however the WHOIS infras- cial incentives are only offered by a small number of ccTLDs (e.g., tructure is distributed across registrars and resellers, is heavily rate- .nl, .se, and .cz), and this approach has yet to expand to other limited, and lacks a consistent schema [28]. Moreover, a domain TLDs. could be managed by a reseller, but the WHOIS information may be IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al. 100 30 90 80 25 70 20 60 OVH 50 15

record GoDaddy 40 10 30 all domains DS 20 partially deployed domains 5 CDF of Domains 10 fully deployed domains 0 0 1 10 100 1000 10000 Percent of domains with 05/15 08/15 11/15 02/16 05/16 08/16 11/16 DNS Operators # of Date

Figure 3: Cumulative distribution of .com, .org, and .net do- Figure 4: The percentage of all merged domains with DNSKEY mains by DNS operators; shown are all, partially deployed, and and DS records for OVH (free DNSSEC with customer opt-in) fully deployed domains. We can see that 26 DNS operators are GoDaddy (paid DNSSEC). OVH shows a much more robust de- necessary to cover over 50% of all domains. However, only four ployment for DNSSEC. DNS operators are needed to cover 57% partially deployed do- mains, and only two DNS operators cover 54% of fully deployed domains. popular registrars fail to support DNSSEC. For example, the overlap between the 25 most popular registrars overall, and the 25 most pop- served by its partner registrar; this would conflate the behavior of ular registrars among fully deployed domains is only three registrars, the reseller and the registrar. which paints a bleak picture of DNSSEC support among registrars. Instead, we rely on the authoritative nameserver for each domain Hence, to better understand why and how DNSSEC is deployed, we (from the NS record), which is present in our data sets, to indicate the turn our attention to study each registrar’s DNSSEC deployment DNS operator. The identity of the authoritative nameserver serves policy and its impact. our purpose well, as the domain name of the authoritative name- server typically identifies the organization that is actually managing 5 POPULAR REGISTRARS the name. Specifically, we group domains if they share thesame We begin by examining how the most popular DNS registrars support second-level domain in their NS records. For example, if two dif- DNSSEC. To do so, we register domains ourselves and attempt to ferent domains have NS records of ns01.domaincontrol.com and deploy DNSSEC, as well as look at all domains operated by the ns02.domaincontrol.com, we group these under the DNS operator registrar to look for patterns. domaincontrol.com (owned by GoDaddy). 5.1 Methodology 4.3 Overall DNSSEC support To understand how different registrars support DNSSEC, we need to We begin by quickly examining how DNSSEC is deployed across register domains and try to deploy DNSSEC as a customer would. different TLDs. Table 1 shows the number of domains in each of the We focus on the most popular 31 DNS operators that serves DNS TLDs that we study as well as the percentage of domains that have for the most domains across our datasets, which collectively cover DNSKEYs; we can immediately observe that the overall DNSSEC 54.3% of .com, .net, and .org domains in the TLD zone files. For deployment rate in the three generic TLDs is quite low—in line with each of these 31 DNS operators, we proceed as follows: recent studies [8]—but that the percentage is much higher in .nl and (1) We first check whether the DNS operator is a registrar. We .se. We explore this trend in more detail in the subsequent sections. found nine are domain parking services10 and two are third- Next, we examine how the domains that attempt to deploy party DNS operators. We do not study the domain parking DNSSEC are distributed across registrars. Recall that to correctly services further11. The two third-party DNS operators, DNS- deploy DNSSEC, a domain must (a) publish DNSKEYs and RRSIGs Pod and Cloudflare, are studied in Section 7. For the others, for all records, and (b) must have a DS record in the TLD zone. Thus, we purchase a .com domain. we examine how three subsets of the domains are distributed across (2) Next, we examine whether our purchased domain supports registrars: (1) all domains, (2) partially deployed domains, and (3) DNSSEC by default, or if DNSSEC is an opt-in feature. If fully deployed domains. we are unable to find a way to do so, we email the registrar to Figure 3 presents a cumulative distribution function (CDF) of ask if they support DNSSEC. the number of all .com, .net, and .org domains per registrar from the December 31, 2016 snapshot. We make two observations. First, 10Domain parking services are services that hold a given domain, we observe that partially and fully deployed domains show a much but do not provide any services (e.g., a website). Often, such parking different distribution across registrars than the overall data set: 26 services simply serve ads as a way to profit from parked domains. registrars are necessary to cover 50% of all domains, but only four 11These DNS operators are parking services: Ename (1,604,676 registrars are necessary to cover 50% of the partially deployed do- domains), BuyDomains (1,190,973), SedoParking (1,186,838), Do- mains, and only two registrars are necessary to cover 50% of the mainNameSales (1,081,944), CashParking (1,012,114), HugeDo- fully deployed domains. Second, the small number of registrars that mains (807,607), ParkingCrew (660,081), RookMedia (619,254), as host an outsized proportion of DNSSEC domains suggests that many well as the advertising domain ztomy.com (631,381 domains). Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom

Registrar Domains Registrar DNS operator Owner DNS operator with DNSSEC DNSSEC DNSSEC DS upload DS Validation (Domain of Auth. Nameservers) All DNSKEY default opt-in support Web Email DNSKEY Email GoDaddy (domaincontrol.com) 37,652,477 8,139 ✗ ● ● ● - ✗ - Alibaba (hichina.com) 4,292,138 3 ✗ ✗ ✗ - - - - 1AND1 (1and1)13 3,802,824 0 ✗ ✗ ✗ - - - - Network Solution (worldnic.com) 2,534,673 0 ✗ ✗ ✗ - - - - eNom (name-services.com) 2,525,828 10 ✗ ✗ ● ✗ ● ✗ ● Bluehost (bluehost.com) 2,066,503 0 ✗ ✗ ✗ - - - - NameCheap (r...-servers.com) 1,963,717 13,232 ▲ - ● ● - ✗ - WIX (wixdns.net)14 1,887,139 0 ✗ ✗ ✗ - - - - HostGator (hostgator.com) 1,849,735 0 ✗ ✗ ● ● - ✗ - NameBright (namebrightdns.com) 1,823,823 0 ✗ ✗ ● ✗ ● ✗ ▲ register.com (register.com) 1,311,969 0 ✗ ✗ ✗ - - - - OVH (ovh.net) 1,228,578 319,580 ✗ ● ● ● - ● - DreamHost (dreamhost.com) 1,117,902 0 ✗ ✗ ● ✗ ● ● ▲ WordPress (wordpress.com) 888,174 3 ✗ ✗ ✗ - - - - Amazon (aws-dns)15 865,065 0 ✗ ✗ ● ● - ▲ - Xinnet (xincache.com) 836,293 0 ✗ ✗ ✗ - - - - Google (googledomains.com) 813,945 1,94512 ✗ ✗ ● ● - ✗ - 123-reg (123-reg.co.uk) 720,435 1 ✗ ✗ ● ● - ✗ - Yahoo (yahoo.com) 690,823 0 ✗ ✗ ✗ - - - - Rightside (name.com) 663,616 0 ✗ ✗ ● ● - ✗ - Table 2: Table showing the results of our study of registering domains using the 20 registrars among the top 31 DNS operators. ● means that a DNS operator supports DNSSEC and ✗ means that a DNS operator fails to support DNSSEC. If DNS operators support uploading a DS record via web interface, we do not email them to ask if they accept a DS record by email (hence –). Only three them support DNSSEC for domains they manage, and only one of them provides DNSSEC by default for these domains (NameCheap only supports DNSSEC by default for certain plans, hence the ▲ [33]). Only 11 of the registrars support DNSSEC for external nameservers, eight providing web-based forms for uploading DS records and three requiring emails with DS records; only two of these actually validate the provided DS records. Of the three that require emails, two of them do not verify the validity of the incoming email (hence the ▲).

(3) If we manage to enable DNSSEC, we verify that the registrar 5.2 Registrar as a DNS operator correctly deploys all DNSSEC records by checking the exis- tence of a DS record, its accordance with our DNSKEY, and the We first focus on what happens when we use the registrar asthe validity of the RRSIGs. DNS operator for our domain. Surprisingly, only three registrars (GoDaddy, NameCheap, and OVH) out of the 20 we studied support (4) We then disable the registrar hosting, and switch our domain DNSSEC at all when they are the DNS operator. This situation to use an external nameserver we control. Our nameserver is unfortunate, as these cases present an easy path to DNSSEC correctly publishes all DNSSEC records. deployment, as the registrar has full control over the domain and (5) Next, we examine whether the registrar allows us to upload a could create DNSKEYs, RRSIGs, and upload DS records all on its own. DS record via the web interface. If we are unable to find this Even more alarming, among the three registrars that do sup- feature, we email the registrar to ask whether we can provide port DNSSEC when they are the DNS operator, we find that only a DS record some other way. NameCheap enables DNSSEC by default, and they only do so for (6) If we are able to supply a DS record, we verify that our domain some of their DNS plans. In particular, NameCheap offers six differ- correctly deploys all DNSSEC records. ent plans, only three of which support DNSSEC [33]. NameCheap’s (7) Next, if possible, we upload a DS record that does not match free plan, FreeDNS, does not support DNSSEC, partially explaining our published DNSKEY, to check if the registrar validates sup- the low fraction of signed domains. The other two registrars that plied DS records. (8) Finally, if a registrar accepts a DS record via e-mail, we send 12DNSSEC was only available to Google Clould DNS customers it with a different email address (one that was not used to participating in Alpha release [21]. register the domain) to see whether they check that the owner 13The nameservers from 1AND1 Internet (also hosting provider) of the domain is sending the record. share the same second level domain, but are dispersed over the different ccTLDs; we instead group them easily when the second level of NS record is “1and1.” 14Wix does not allow an owner to use external nameservers. Table 2 summarizes the results of this experiment. We make a num- 15The nameservers from Amazon Web Services have a specific ber of observations below. naming convention; awsdns-id.TLD (e.g., awsdns-13.net), which allows grouping them by using a regular expression. IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al. support DNSSEC also have different policies: GoDaddy provides and all of them require that the DS record be submitted via email. DNSSEC as a premium package (at a cost of $35 per year), while These case studies are particularly disappointing, as communicating OVH provides DNSSEC for free but only if the customer explicitly DS records over email opens up security vulnerabilities due to the opts in. insecurity of email communication17. From our December 31st, 2016 snapshot, we observe that 25.9% DS record validation We now turn our attention to see how these of domains from OVH, 0.59% of domains from NameCheap, and registrars validate DS records once they have been uploaded. As 0.02% of domains from GoDaddy deploy DNSSEC. As seen in the DS record is a core piece of the trust chain, the uploading pro- Figure 4, to further explore the behavior of customers with these cess must be carefully considered. If a domain owner uploads an registrars, we compare the historic fraction of OVH and GoDaddy incorrect DS record by mistake (e.g., the wrong record, or an incor- domains that have DNSKEYs and DS records.Unsurprisingly, we ob- rectly formatted record), the domain will fail to validate, potentially serve that OVH’s overall DNSSEC adoption ratio is significantly preventing clients from communicating with the domain. higher and growing. However, GoDaddy’s fraction of DNSSEC- We first check whether the registrars validate the uploaded DS support domains is minuscule by comparison: only 7,841 of their record to ensure it is the hash of the domain’s DNSKEY. We observe domains (0.02%) domains have a DNSKEY and DS record in our latest that only two registrars (OVH and DreamHost) out of the 11 reg- snapshot. Thus, we can immediately see the crucial role that free istrars that support DNSSEC when the owner is the DNS operator and default support for DNSSEC can have in successfully deploying correctly validated the DS record before accepting it. Interestingly, DNSSEC. Amazon allows domain owners to upload their DNSKEY instead of We contacted an administrator of one of the registrars to inquire the DS record (and generates the DS record by themselves), which is why they choose to make DNSSEC an opt-in feature rather than a not perfect, as a domain owner could upload a different DNSKEY than default, and why DNSSEC adoption was still low. They reported the one that they are actually serving. The remaining registrars all three potential reasons: (1) the layout of their purchase page, which allow us to publish arbitrary data as DS records. placed the (free) option for DNSSEC on the same page as other Finally, we tested whether the registrars that require emailed DS (paid) options; (2) misconceptions concerning DNSSEC among records would accept an updated DS record without validating the their customers, who believe that DNSSEC causes issues for domain email (as email headers can be forged). We found that two of the name resolution for non-DNSSEC supporting clients; and (3) DNS three registrars that require emailed DS records did not attempt to resolution performance, where requests for records in domains that verify the authenticity of the email, meaning an attacker who wished support DNSSEC may take longer to resolve. to take control of a victim domain could simply forge an email to 5.3 Owner as a DNS operator these registrars. We have contacted these two registrars to inform them of this security vulnerability. Next, we explore how registrars support DNSSEC if the owner acts as the DNS operator (e.g., by hosting their own nameserver). We find 5.4 Summary that only 11 of the 20 registrars listed in Table 2 support DNSSEC for In summary, we observe that DNSSEC support is quite poor among such domains (beyond the three discussed above, this includes eNom, the popular registrars: only three of 20 registrars support DNSSEC HostGator, NameBright, DreamHost, Amazon, Google, 123-Reg, for registrar-hosted domains, and only 11 of them support DNSSEC and Rightside). for externally hosted domains. Of the three that do support DNSSEC Interestingly, only three registrars in this group of twenty (Ama- for registrar-hosted domains, only one is by default and even that zon, Google, and Rightside) present a DS upload menu on their site is only for certain plans; one of the other two even charges domain when a user switches to an external nameserver. 123-reg requires owners for the service. Finally, we observe that only two providers customers to submit a support ticket to upload DS records, and they reject a DS record that does not match the DNSKEY served from the must attach the desired DS record to the ticket. Similarly, HostGator’s external nameservers. The others, however, accept anything as a customers need to have a live web chat with an agent to copy/paste DS record so that a simple copy/paste error could make the entire the DS record into the chat window. While all of 123-reg’s and Host- zone fail to validate (and thus fail to resolve) by DNSSEC-validating Gator’s webpages are HTTPS-secured—at least ensuring that the DS resolvers. record is uploaded through a secure channel—these approaches are 16 manual processes that present numerous opportunities for error. 6 DNSSEC-SUPPORTING REGISTRARS The remaining registrars do not provide any details on their web- pages for users who want to enable DNSSEC on domains operated Measuring the most popular registrars, as we did above, provides an by a third party. We contacted each registrar to ask whether they sup- overall view of support for DNSSEC. To better understand how port DNSSEC in this case, and if so, how we can send the DS record registrars that do support DNSSEC behave, we now repeat the to them. We find that three of these are willing to support DNSSEC, same experiment as above but focus on the registrars that have the largest number of domains with DNSKEYs. Specifically, we first 16As an anecdotal example, we found that one of our DS records extract .com, .net, and .org second-level domains that publish at was accidentally installed by the registrar on someone else’s domain least one DNSKEY record from our latest snapshot (December 31st, due to a mistake by the customer service agent with whom we were 2016). Next, we group them by registrars as we did before. We then chatting. This mistake was fixed right after we raised the issue, but potentially made the other domain inaccessible to DNSSEC-aware 17Ironically, deploying DNSSEC correctly can improve email clients while the DS record was present. security using STARTTLS [? ] and DANE [41]. Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom

Registrar Registrar DNS operator Owner DNS operator Domains DNSSEC Publish DNSSEC DS Upload DS Validation (Domain of Authoritative Nameservers) w/ DNSKEY default DNSKEY DS support Web E-mail DNSKEY Email OVH (ovh.net) 319,580 ✗ ● ● ● ● - ● - Loopia (loopia.se) 131,726 ● ● ▲ ● ✗ ● ✗ ● DomainNameShop (hyp.net) 94,084 ● ● ● ● ● - ✗ - TransIP (transip.net) 91,103 ● ● ● ● ● - ✗ - MeshDigital (domainmonster.com) 60,425 ● ● ✗ ● ✗ ● ✗ ▲ OVH (anycast.me) 52,381 ✗ ● ● ● ● - ● - TransIP (transip.nl) 47,007 ● ● ● ● ● - ✗ - Binero (binero.se) 44,650 ● ● ● ● ✗ ● ✗ ✗ KPN (is.nl) 15,738 ● ● ▲ ✗ - - - - PCExtreme (pcextreme.nl) 14,967 ● ● ● ● ✗ ● ▲ ▲ Antagonist (webhostingserver.nl) 14,806 ● ● ● ✗ - - - - NameCheap (registrar-servers.com) 13,232 ● ● ▲ ● ● - ✗ - Table 3: Table showing the 10 most popular unique registrars in terms of number of domains for which they serve as DNS operator (and their 12 nameserver domains) for domains that publish DNSKEYs in .com, .net, and .org; Most support DNSSEC by default, but four of them support DNSSEC partially depending on the TLD zone (indicated as ▲).

focus on the 12 most popular nameserver domains, representing 10 Next, we examine how well these registrars support DNSSEC different registrars18; they collectively cover 81.6% of the domains when the domain owners (registrants) themselves are the DNS op- with DNSKEYs.19 erator. Overall, we find similar behavior to the popular registrars examined in the previous section: while a higher fraction of these 6.1 Registrar policies registrars support DNSSEC when the owner is the DNS operator Table 3 shows the results of this experiment in a format similar to (8 of 10 registrars do so), only four of them allow for web-based Table 2. At a first glance, we notice that 9 of 10 registrars enable uploads, while the other four require unauthenticated emails with DNSSEC by default; the only exception is OVH (previously studied). DS records. In fact, in a discussion with an administrator of one of This high level of DNSSEC-by-default behavior for registrars with the registrars, we were informed that their decision not to support DS high levels of DNSSEC deployment is not surprising, but shows the records for external nameservers is intentional and meant to prevent crucial role that default support can play. Second, we observe that a potential errors when domain owners copy and paste the DS record few registrars publish DNSKEYs and RRSIGs for all domains, but only manually (i.e., avoiding cases where domain owners accidentally publish DS records for some domains (marked ▲ in the DS column). upload an incorrect DS record and make their entire zone unavailable Taking a closer look at these registrars, we find that they only publish to DNSSEC-supporting clients). This demonstrates that at least one DS records for certain TLDs: Loopia only publishes DS records for registrar is aware that current DS record upload mechanisms are .se domains, KPN only publishes DS records for .nl domains, and error-prone. NameCheap only publishes DS records for .com and .net domains. We emailed all three registrars to inquire why they fail to publish DS records for some TLDs, but were unable to get a precise explanation 6.2 Registrars vs. resellers of this behavior.20 We observe this partial-support behavior to an So far, we have observed that different registrars have different even larger degree with MeshDigital, which publishes DNSKEYs and DNSSEC policies. Now we dig deeper and attempt to explain why RRSIGs for their domains but fails to upload a DS record for almost various registrars have chosen their policies and quantify their effect all domains for which they are the DNS operator; this is in line with on DNSSEC deployment. To this end, we perform a longitudinal recent study [8] showing that only 4 domains out of 60,425 have study for each registrar to answer questions that include: (1) how a DS record. We find the failure to upload DS records by these four does different DNSSEC policies affect deployment of DNSSEC? registrars curious, as domains where DS records are not published (2) do registrars have consistent DNSSEC policies for domains in cannot be validated, foregoing the security that DNSSEC provides. different TLDs? and (3) if they have different policies, why do they differ? 18Two of the registrars own multiple domains used to host DNS Recall that a given registrar may serve as a registrar for certain servers: OVH owns ovh.net and anycast.me, and TransIP owns TLDs (e.g., is accredited to update the registry), may serve as a transip.net and transip.nl. reseller for others (e.g., works with a partner registrar to facilitate 19Note that having a DNSKEY record published does not neces- registration), and may simply not support other TLDs. Thus, if a sarily mean that the domain has correctly deployed DNSSEC; e.g., given registrar is a reseller and wishes to support DNSSEC, both it the corresponding DS records might not be published in the parent and its partner registrar must support DNSSEC (i.e., it must generate zone. DNSKEYs and RRSIGs, and its partner registrar must support the up- 20 For example, one of the registrars repeatedly said that they do loading of DS records). It is therefore crucial to understand the role not sign domains automatically for all TLDs at the current time, but that registrars play for various TLDs to understand their behavior. might starting doing so in the future. IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al.

Domain of DNS Registrar Authoritative Nameservers Operator .com .org .net .nl .se ovh.net & anycast.me OVH OVH OVH OVH OVH OVH domaincontrol.com GoDaddy GoDaddy GoDaddy GoDaddy GoDaddy GoDaddy domainmonster.com Mesh Digital Mesh Digital Mesh Digital Mesh Digital Mesh Digital No support hyp.net DomainNameShop DomainNameShop DomainNameShop DomainNameShop No support No support transip.nl & .net TransIP TransIP TransIP TransIP TransIP Key Systems registrar-servers.com NameCheap NameCheap eNom NameCheap No support No support binero.se Binero Binero Binero Binero No support Binero pcextremenl.nl PCExtreme Open Provider Open Provider Open Provider PCExtreme No support webhostingserver.nl Antagonist Open Provider Open Provider Open Provider Antagonist No support loopia.se Loopia Ascio Ascio Ascio Ascio Loopia is.nl KPN Ascio Ascio Ascio KPN Open Provider Table 4: Table showing the 11 DNS operators that support DNSSEC for hosted domains, and the registrar they use for various TLDs. In many cases, these operators are registrars themselves (white background); in other cases, these operators are resellers and use registrars (shown with grey background); finally, some DNS operators do not support certain TLDs (shown with red background).

To answer these questions, we performed a small survey. We for .nl domains (in fact, none of the domains that they are the DNS asked the 10 registrars whether they support each of the five TLDs we operator for in other TLDs have DNSSEC deployed). There could be studied, and asked them for the identity of the third-party registrars two potential reasons why KPN and Loopia support DNSSEC only (if one is used) for each TLD. Table 4 shows the results of this survey, for .nl and .se domains, respectively, and not the others: (1) their listing whether each registrar serves as a registrar or a reseller for registrar partners might not support DNSSEC, or (2) they enable each of the TLDs. As we can see, some registrars are registrars for DNSSEC only if there is a financial incentive. all TLDs (e.g., OVH and GoDaddy), while others are resellers for To test our hypothesis, we purchased a .com domain from Loopia various TLDs; additionally, a number of the registrars do not support and asked them to serve as the DNS operator. We observed that the .nl and .se TLDs at all. Loopia automatically published DNSKEYs and RRSIG for our domain, but did not upload a DS record to the .com registry (thereby making 6.3 Financial incentives DNSSEC for our domain only partially deployed). However, when A common criticism of DNSSEC has been the slow deployment. One we registered a .com domain through Loopia and used an external potential way registries could incentivize greater DNSSEC deploy- nameserver, Loopia was able to upload a DS record for our external ment is by providing discounts for domains that properly support domain. We repeated the same experiment with KPN and found DNSSEC. We now focus on the .nl and .se TLDs, which are the exactly the same behavior: they published DNSKEYs and RRSIGs by TLDs with the largest fraction of DNSSEC-enabled domains [12] default, but only uploaded a DS record after we requested it. The and which provide registrars a discount for DNSSEC-enabled do- take-away from this experiment is that financial incentives are likely mains. We compare the registrar behavior w.r.t .nl and .se to behav- ior w.r.t .com, .net, and .org to explore whether financial incentives 100 serve as a useful tool to incentivize DNSSEC deployment. .com For .nl domains, a registrar receives a e0.28 (∼$0.30) discount 80 .net every year for a .nl domain if it is correctly DNSSEC signed [9, 42]. .org 60 .se Similarly, for .se domains, a registrar used to receive a 10 SEK .nl (∼$1.10) discount every year for a correctly-signed .se domain [18] 40 (it is unclear whether this discount is still active at this time). To fa- record 20 cilitate these discounts, every DNSSEC-signed .nl and .se second- DS KPN (*.is.nl) level domain is tested every day by the registry to ensure it has cor- 0 and 100 rect DNSKEYs, RRSIGs, and DS records [9, 37]. Registrars that have .com many incorrectly configured DNSSEC records21 may not receive 80 .net .org future discounts. 60 DNSKEY

Percent of domains .se To study how registrars behave when DNSSEC is incentivized, .nl 40 we focus on the six registrars that are from the Netherlands (TransIP, with PCExtreme, Antagonist, and KPN) and Sweden (Loopia and Binero). 20 Loopia (*.loopia.se) We group registrars that have similar behavior together. 0 05/15 08/15 11/15 02/16 05/16 08/16 11/16 KPN and Loopia Figure 5 shows the fraction of the domains with DNSKEY and DS records. Interestingly, we find that Loopia only sup- Date ports DNSSEC for .se domains, and KPN only supports DNSSEC Figure 5: The percentage of fully deployed DNSSEC domains 21For example, the .nl registry states that registrars should not for Loopia and KPN. Each registrar supports DNSSEC only in fail validations more than 14 times in six months. their own country’s domain (.se and .nl, respectively). Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom

100 70000 .com 60000 .com 80 .net .net 50000 .org .org 40000 .nl 60 .nl 30000 40

20000 record # of domains 10000 20 0 DS PCExtreme (*.pcextreme.nl) 100 0 .com and 100

record 80 .net .com .org 80 .net 60 .nl .org 60 DNSKEY 40 Percent of domains .se

DNSKEY .nl 20 40 with and 0 20 DS Percent of domains with 05/15 08/15 11/15 02/16 05/16 08/16 11/16 TransIP (*.transip.nl, *.transip.net) 0 Date 05/15 08/15 11/15 02/16 05/16 08/16 11/16 (a) Antagonist (*.webhostingserver.nl) Date

140000 Figure 7: The percentage of domains with DNSKEY and DS 120000 .com record for PCExtreme and TransIP. Both of them have de- .net 100000 .org ployed DNSSEC for almost of their domains, but the DNSSEC 80000 .se adoption rate for the .se domains from TransIP is lower than 60000 the others due to the partial DNSSEC support of its registration 40000 partner (i.e., KeySystems). # of domains 20000 0 100 .com are much lower: 52.7% for Antagonist, and 37.8% for Binero in our

record 80 .net latest snapshots. .org 60 .se Second, we observe that Antagonist’s DNSSEC adoption rate 40 has rapidly increased in all three other TLDs. However, the number DNSKEY 20 of domains for which these two registrars are the DNS operator is

and increasing much more slowly (bottom graph), suggesting that the 0 DS Percent of domains with 05/15 08/15 11/15 02/16 05/16 08/16 11/16 registrars have been enabling DNSSEC for existing customers. In an Date email exchange with Antagonist [24], we were informed that they are a reseller for .com, .net, and .org, and that they switched their (b) Binero (*.binero.se) .com, .net, and .org partner from Direct to OpenProvider in order to support DNSSEC in December 2014. However, the actual domain Figure 6: The percentage of domains with DNSKEY and DS record migration to a new registrar can only happen at the end of the current for Antagonist and Binero. The number of domains for both registration period of a domain, explaining why Antagonist shows registrars do not increase for our measurement period, but An- gradual DNSSEC deployment. Overall, this example shows that the tagonist gradually enabled DNSSEC over time. complex relationship between reseller and registrar can also result in slow deployment of DNSSEC. to play a role in registrar policies: the registrars clearly have the TransIP and PCExtreme Next, we examine the two remaining capability to upload DS records, but only do so by default for domains registrars that serve as resellers: TransIP and PCExtreme. Figure 7 where there is a financial incentive. shows the percentage of domains with DNSSEC that are managed by these two. First, we note that these two registrars support DNSSEC Antagonist and Binero Next, we turn to two other registrars that very well; PCExtreme clearly enabled support for DNSSEC in March show similar behavior. Figure 6 shows the percentage of domains 2015 and the percentage of DNSSEC enabled .com, .net, and .org with DNSSEC (bottom) and the number of domains (top) that are domains jumped from 0.44% to 98.3% in 10 days, even though operated by Antagonist and Binero. Both of these registrars support they are a reseller for all three TLDs. Moreover, this high level of DNSSEC for all TLDs, but we observe two phenomena. First, the DNSSEC support has largely continued: in our latest snapshot, we percentage of domains with DNSSEC is much higher for .nl and observe that 97.0% of all their domains in these TLDs have DS and .se domains, suggesting that the financial incentives may have DNSKEY records. Second, TransIP shows an average 99.2% adoption encouraged their adoption. In fact, 95.4% of .nl domains from rate of DNSSEC for the TLDs when they are themselves a registrar Antagonist and 92.9% of .se domains from Binero have DNSSEC (.com, .net, .org, and .nl), but only 48.4% adoption rate when deployed. However, the DNSSEC adoption ratios in other domains they are a reseller (.se). In an email discussion with a TransIP IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al. administrator [6], we were informed that this is due to its registrar 100 for .se, KeySystems, which “enabled DNSSEC at a later date22.” We suspect that the enabling of DNSSEC is only happening upon 80 Cloudflare announced universal DNSSEC domain renewal, similar to Antagonist above. Overall, these results 60 record highlight the challenges for applying consistent DNSSEC policies for registrars who are also resellers for some TLDs. DS 40 20 with

6.4 DS record validation Percent of domains 0 As we did in Section 5.3 for the popular registrars that support the 1.2 domain owner as the DNS operator, we tested whether the registrars 1

that have the largest number of DNSSEC domains validate uploaded record

0.8 records. Surprisingly, we find that even among them only two (OVH 0.6 and PCExtreme) checked the correctness of our uploaded DS records. 0.4 In fact, we observe that PCExtreme takes a unique approach: a DNSKEY 0.2 domain owner can request to publish a DS record without sending with Percent of domains 0 them a DNSKEY nor a DS record. Instead, PCExtreme then fetches 05/15 08/15 11/15 02/16 05/16 08/16 11/16 the DNSKEY records themselves from the authoritative nameserver Date and generates the DS records. This approach represents a trade-off between usability and security: it is less error-prone (to avoid the Figure 8: The percentage of Cloudflare-operated domains that owner having to generate and transmit the DS record), but opens enabled DNSSEC (bottom) and the percentage of these domains a window for an attacker to give PCExtreme an incorrect DNSKEY with DNSKEY that have a DS record as well (top). Roughly 40% of record. Moreover, this approach only works when publishing the Cloudflare-operated domains that attempt to deploy DNSSEC first DS record. When a domain owner generates a new DNSKEY, fail to successfully do so. Note that the range of y-axis of the PCExtreme requests the new DNSKEY by email [30] (with similar bottom graph is between 0 to 1.2. implications as for other registrars that use email-based DS uploads). Of the four registrars that only use email to transmit DS records, we found that only one of them verified the email (by asking fora 7 THIRD-PARTY DNS OPERATORS security “code” bound to the account). Two of the registrars did Finally, we examine the two most popular third-party DNS operators: not verify the email was authentic and simply uploaded the DS DNSPod and Cloudflare, which are the DNS operators for 2,309,215 record. Even worse, we found one registrar that accepted an up- and 1,561,687 .com, .net, and .org domains, respectively. Recall dated DS record for our test domain from a different email address that the third-party operators are not registrars; instead the owner of than the one we used to register the domain.23 We have reported a domain contracts with these third-party operators to outsource the these vulnerabilities to the respective registrars with the hope that management of their domain. they will change their internal processes to properly validate up- After setting up an account with both services, we find that only dated DNSSEC records. Regardless, these examples demonstrate Cloudflare supports DNSSEC. Cloudflare initially announced sup- the challenges that registrars face when trying to properly deploy port for DNSSEC on November 11th, 2015 [5], but the domain DNSSEC. owners must opt-in to use DNSSEC. If the owner does so, Cloud- DNSKEY RRSIG 6.5 Summary flare will generate s and s, and will provide the domain owner with the DS record; the domain owner is responsible for com- In summary, we observed that customers wishing to deploy DNSSEC municating the DS record to their registrar for addition to the registry face challenges even when using the registrars that have the best (as Cloudflare does not have the authority to do so). As a result, if historic support for DNSSEC. Of the top 10 such registrars, most a domain owner fails to properly convey the DS record, or if their support DNSSEC by default when they are the DNS operator, but registrar does not support DNSSEC, they will fail to properly deploy many only partially deploy DNSSEC (i.e., fail to upload DS records). DNSSEC for their domain. Worse, most of the registrars do not validate DS records uploaded We find that only 29,537 (1.9%) of domains using Cloudflare by the user, and fail to verify emails that request a new DS record have a DNSKEY record in our latest snapshot (December 31st, 2016). be published. Overall, these registrars should be lauded for their Interestingly, we also observe that 11,626 (39.3%) of these domains support of DNSSEC, but could still improve their customer support do not have a DS record, suggesting that they failed to upload the and processes to make it easier and more secure for customers to Cloudflare-provided DS record to their registrar. support DNSSEC. To explore this further, Figure 8 shows the number of Cloudflare- hosted domains with DNSKEYs (bottom) and the fraction of those that 22Because KeySystems acts as a registrar and TransIP as a reseller also have DS records (top). We can immediately see the how this com- for .se domain, the financial incentive that the .se registry awards plex procedure leads to poor overall deployment of DNSSEC. We will go to KeySystems. are able to observe a rapid increase in the percentage of Cloudflare 23We used an address that was completely different from the name domains that have DNSKEYs once Cloudflare announced universal we listed in the WHOIS information to send the DS record. DNSSEC. However, even today, 40% of the domain owners who Understanding the Role of Registrars in DNSSEC Deployment IMC ’17, November 1–3, 2017, London, United Kingdom enabled DNSSEC at Cloudflare did not upload their DS record to to enable DNSSEC if they wish, and should move towards a their registrar. Even worse, this portion has remained remarkably standard of DNSSEC-by-default. Today, only one registrar stagnant as the number of domains with DNSKEYs has increased; we among the top 20 had this policy, and only did so for some of observe that 38.7% of domains with DNSKEYs still do not have a DS their domains. record in our latest snapshot (December 31st, 2016). (2) Registries largely support DNSSEC, but we know that only To help remedy this situation, Cloudflare supports the CDS and the .cz registry has recently announced support for CDS and CDNSKEY proposals [26, 46], which would enable Cloudfare to con- CDNSKEY [? ]. These proposals completely remove the friction vey the DS record to the registry themselves (i.e., avoiding the need that customers face when trying to deploy DS records, as they for the user to relay the DS record to the registrar, who relays it to the can effectively communicate directly with the registry. Un- registry). However, this proposal has seen very slow uptake, and we fortunately, we know of no other registries that support CDS know of only one registry (.cz) that has deployed it and one registry and CDNSKEY today, which is unfortunate given how many do- (.ca) that is considering deploying it. mains we find have DNSKEYs deployed but fail to successfully deploy a DS record. 8 CONCLUDING DISCUSSION (3) Until CDS and CDNSKEY are fully supported, registries should We began this paper noting that the low level of adoption of DNSSEC work to make the process of uploading DS records easier and has been widely bemoaned, but relatively little appears to be chang- more secure. Of the registrars we studied, PCExtreme has ing. DNSSEC was originally proposed almost two decades ago, and the easiest and most secure approach, allowing a customer today most TLD registries support it. Unfortunately, less than 1% of to log in and request that the registrar fetch the customer’s .com, .net, and .org second-level domains do, meaning very few DNSKEYs and generate and deploy a DS record. This process DNS responses provide the authenticity and integrity that DNSSEC is much less error-prone than web-based uploads or emails, could in theory provide. Given the powerful attacks [25, 38], the but PCExtreme can further improve this by (a) showing the critical role that DNS plays, and society’s increasing reliance on customer the fetched DNSKEY so the customer can verify this computing infrastructure, the poor deployment of DNSSEC remains process was secure, and (b) allowing customers to switch to a as a significant problem. new key in a similar fashion as well. In this paper, our goal was to shed light on why DNSSEC adoption (4) Certain TLD registries have employed small financial incen- remains so low. To do so, we took the perspective of a customer tives for registrars to deploy DNSSEC; these same TLDs have and attempted to buy domains and deploy DNSSEC through 30 seen dramatically higher levels of DNSSEC deployment. We different registrars. We found the level of support for DNSSEC to be encourage other registries to do the same. For example, .se highly skewed: only three of the top 20 registrars support DNSSEC offered a e0.28 discount per year off of the e3.40 price (an when they are the DNS operator, which is unfortunate as this is the 8.2% discount); the .se registry observed that when they orig- easiest situation for DNSSEC support. Moreover, only 11 of the 20 inally raised their discount from 2.5% to 5%, the number of supported DNSSEC when the owner was the DNS operator, and the DNSSEC-signed domains jumped “literally overnight” [32]. processes for uploading DS records were error-prone (very few of the Even this modest discount becomes significant at the scale registrars did any validation of uploaded data) and opened the door that many registrars operate; since a small number of reg- to security attacks (most registrars that use email for transmittal of istrars own much of the market, even changing just a few DS records did not actually validate the email, and one even accepted registrars’ policies to support DNSSEC may lead to much an email from a different address). Taken together, our results shine higher adoption. a light on the difficulties that domain owners face when trying to deploy DNSSEC. 9 ACKNOWLEDGEMENTS We thank the anonymous reviewers and our shepherd, Mark Allman, Ethical Considerations Our measurements of the (in)security of for their helpful comments. This research was supported in part by uploading DS records brings up a few ethical issues, and we wish NSF grants CNS-1564143 and CNS-1563320, and made possible by to discuss them explicitly before concluding. At all points, we took OpenINTEL (https://www.openintel.nl/), a joint project of SURFnet, steps to ensure our measurements met community ethical standards. the University of Twente, and SIDN. First, we note that we only tested uploading incorrect DS records for the test domains that we bought from each registrar, thus our exper- iment did not impact any other domains. Second, we responsibly REFERENCES disclosed our findings to all of the registrars that have potential secu- [1] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. rity vulnerabilities that we found (e.g., not validating the authenticity DNS Security Introduction and Requirements. RFC 4033, of incoming email or accepting different email address than the one IETF, 2005. http://www.ietf.org/rfc/rfc4033.txt. [2] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. that registered) in order to help them mitigate the issues. Protocol Modifications for the DNS Security Extensions. RFC Recommendations Stepping back, our results indicate there are a 4035, IETF, 2005. http://www.ietf.org/rfc/rfc4035.txt. number of steps that the various DNS entities can take to spur greater [3] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. RFC 4034, adoption of DNSSEC. IETF, 2005. http://www.ietf.org/rfc/rfc4034.txt. (1) Registrars play a critical role in supporting DNSSEC today, [4] APNIC DNSSEC validation rate. https://stats.labs.apnic.net/ but most do so poorly. Registrars should allow all customers dnssec. IMC ’17, November 1–3, 2017, London, United Kingdom T. Chung et al.

[5] Announcing Universal DNSSEC: Secure DNS [30] Loek Geleijn, PCExtreme System Operations. Personal Com- for Every Domain. https://blog.cloudflare.com/ munication. introducing-universal-dnssec. [31] P. Mockapetris. Domain Names - Concepts and Facilities. RFC [6] Arjan van den Berg, TransIP BV. Personal Communication. 1034, IETF, 1987. [7] T. Chung, D. Choffnes, and A. Mislove. Tunneling for Trans- [32] R. Mohan. Slowly cracking the DNSSEC code parency: A Large-Scale Analysis of End-to-End Violations in at ICANN 43. https://afilias.info/blogs/ram-mohan/ the Internet. IMC, 2016. slowly-cracking-dnssec-code-icann-43. [8] T. Chung, R. van Rijswijk-Deij, B. Chandrasekaran, D. [33] Nameservers and TLDs supported/unsupported Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson. by DNSSEC. https://www.namecheap.com/ A Longitudinal, End-to-End View of the DNSSEC Ecosystem. support/knowledgebase/article.aspx/9718/2232/ USENIX Security, 2017. nameservers-and-tlds-supportedunsupported-by-dnssec. [9] M. Davids. DNSSEC in .nl. 2016. https://www.sidnlabs.nl/ [34] E. Osterweil, D. Massey, and L. Zhang. Deploying and mon- downloads/presentations/SIDN-Labs-InternetNL-20160316. itoring DNS security (DNSSEC). ACSAC, IEEE Computer pdf. Society, 2009. [10] T. Dai, H. Shulman, and M. Waidner. DNSSEC Misconfigura- [35] E. Osterweil, M. Ryan, D. Massey, and L. Zhang. Quantifying tions in Popular Domains. CANS, 2016. the operational status of the DNSSEC deployment. IMC, 2008. [11] DNSSEC Debugger. http://dnssec-debugger.verisignlabs.com. [36] OpenINTEL. https://www.openintel.nl/. [12] DNSSEC Deployment Report. https://rick.eng.br/dnssecstat/. [37] Report from the IAB workshop on Internet Technology [13] DNSSEC for Registrars. https://www.cloudflare.com/dns/ Adoption and Transition (ITAT). https://tools.ietf.org/id/ dnssec/dnssec-for-registrars. draft-iab-itat-report-01.xml#rfc.section.3.3. [14] DNSSEC signzone manual pages. https://ftp.isc.org/isc/bind9/ [38] S. Son and V. Shmatikov. The hitchhiker’s guide to DNS cache cur/9.9/doc/arm/man.dnssec-signzone.html. poisoning. Security and Privacy in Communication Networks, [15] DNSViz. http://dnsviz.net. Springer, 2010. [16] D. Eastlake. Domain Name System Security Extensions. IETF [39] Z. Shelby. Constrained RESTful Environments (CoRE) Link RFC 2535, IETF, 1999. Format. RFC 6690, IETF, 2012. [17] D. Eastlake and C. Kaufman. Domain Name System Security [40] State of DNSSEC Deployment 2016. https: Extensions. RFC 2065, IETF, 1997. //www.internetsociety.org/sites/default/files/ [18] A.-M. Eklund-Lowinder. DNSSEC Deployment in ISOC-State-of-DNSSEC-Deployment-2016-v1.pdf. Sweden: How Do We Do It? ICANN50, 2014. [41] The DNS-Based Authentication of Named Entities (DANE) https://london50.icann.org/en/schedule/wed-dnssec/ Transport Layer Security (TLS) Protocol: TLSA. RFC 6698, presentation-dnssec-deployment-sweden-25jun14-en.pdf. IETF, 2012. https://tools.ietf.org/html/rfc6698. [19] A. Fant-Eldh and M. Kirvesniemi. Economical and Political [42] A. Veenman. SIDN extends DNSSEC discount until Implications of DNSSEC Deployment. Ph.D. Thesis, KTH July 1, 2018. 2014. https://www.ispam.nl/archives/38957/ Information and Communication Technology, 2010. sidn-verlengt-dnssec-kortingsregeling-tot-1-juli-2018/. [20] Getting DNSSEC deployed: costs and ben- [43] N. L. M. van Adrichem, N. Blenn, A. R. Lua, X. Wang, M. efits. https://www.powerdns.com/resources/ Wasif, F. Fatturrahman, and F. A. Kuipers. A measurement BringingDNSSECtotheaccessproviders.pdf. study of DNSSEC misconfigurations. Sec. Info., 4(8), 2015. [21] Google DNS: DNSSEC Available to Test on Cloud DNS. [44] R. van Rijswijk-Deij, M. Jonker, and A. Sperotto. On the https://groups.google.com/forum/#!topic/cloud-dns-discuss/ Adoption of the Elliptic Curve Digital Signature Algorithm WXNHtB9W0bg. (ECDSA) in DNSSEC. CNSM, 2016. [22] How to Sign and Secure Your Domain with DNSSEC Using [45] R. van Rijswijk-Deij, M. Jonker, A. Sperotto, and A. Pras. Domain Registrars. http://www.internetsociety.org/deploy360/ A High-Performance, Scalable Infrastructure for Large-Scale resources/dnssec-registrars/. Active DNS Measurements. IEEE Journal on Selected Areas [23] ICANN TLD DNSSEC Report. http://stats.research.icann.org/ in Communications, 34(6), 2016. dns/tld report. [46] P. Wouters and O. Gudmundsson. Managing DS Records from [24] Joris de Leeuw, Antagonist. Personal Communication. the Parent via CDS/CDNSKEY. RFC 8078, IETF, 2017. [25] D. Kaminsky. It’s the End of the Cache as We [47] D. York. Challenges and Opportunities in Deploying DNSSEC: Know It. Black Hat, 2008. https://www.blackhat. A progress report on an investigation into DNSSEC deploy- com/presentations/bh-jp-08/bh-jp-08-Kaminsky/ ment. SATIN, 2012. BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf. [48] H. Yang, E. Osterweil, D. Massey, S. Lu, and L. Zhang. De- [26] W. Kumari, O. Gudmundsson, and G. Barwood. Automating ploying cryptography in Internet-scale systems: A case study DNSSEC Delegation Trust Maintenance. RFC 7344, IETF, on DNSSEC. IEEE Transactions on Dependable and Secure 2014. Computing, 8(5), 2011. [27] J. Latour, O. Gudmundsson, P. Wouters, and M. Pounsett. Third [49] Y. Yu, D. Wessels, M. Larson, and L. Zhang. Check-Repeat: Party DNS operator to Registrars/Registries Protocol. IETF, A New Method of Measuring DNSSEC Validating Resolvers. 2017. TMA, 2013. [28] S. Liu, I. Foster, S. Savage, G. M. Voelker, and L. K. Saul. Who is. com? Learning to Parse WHOIS Records. IMC, 2015. [29] W. Lian, E. Rescorla, H. Shacham, and Stefan. Measuring the Practical Impact of DNSSEC Deploymenta. USENIX Security, 2013.